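/**
 * Check for CSRF attacks.
 *
 * Referer-based check for POST requests: the request is accepted only when the
 * Referer host matches the configured default URL host, or — for a virtual
 * site — the vid matches the site domain or the referer host occurs in that
 * domain. A request whose Referer is missing, unparsable or has no host is
 * rejected, so the check fails closed instead of tripping over an undefined
 * index or an empty strstr() needle (which on PHP 8 matches any string).
 *
 * @return bool true when the request passes the check, false otherwise
 */
function checkCSRF()
{
    // Only POST requests are subject to this check; anything else is rejected outright.
    if ($_SERVER['REQUEST_METHOD'] != 'POST') {
        return false;
    }

    // No Referer header at all: fail closed rather than reading an undefined index.
    if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] === '') {
        return false;
    }

    $default_url = Context::getDefaultUrl();
    $referer = $_SERVER['HTTP_REFERER'];

    // If the default URL is punycode-encoded and the referer is not, encode the
    // referer too so that the two hosts are compared in the same form.
    if (strpos($default_url, 'xn--') !== false && strpos($referer, 'xn--') === false) {
        $referer = Context::encodeIdna($referer);
    }

    $default_url = parse_url($default_url);
    $referer = parse_url($referer);

    // parse_url() returns false on malformed input, and a referer without a host
    // cannot be verified against anything: reject both cases.
    if ($default_url === false || $referer === false) {
        return false;
    }
    if (!isset($referer['host']) || $referer['host'] === '') {
        return false;
    }
    $default_host = isset($default_url['host']) ? $default_url['host'] : '';
    $referer_host = $referer['host'];

    $oModuleModel = getModel('module');
    $siteModuleInfo = $oModuleModel->getDefaultMid();

    if ($siteModuleInfo->site_srl == 0) {
        // Default site: the referer host must be exactly the default URL host.
        if ($default_host !== $referer_host) {
            return false;
        }
    } else {
        // Virtual site: pass when the vid equals the site domain, or when the referer
        // host occurs inside the site domain (substring test kept from the original;
        // the empty-host case is already rejected above, so the needle is never empty).
        $virtualSiteInfo = $oModuleModel->getSiteInfo($siteModuleInfo->site_srl);
        $site_domain = strtolower($virtualSiteInfo->domain);
        if ($site_domain != strtolower(Context::get('vid')) && !strstr($site_domain, strtolower($referer_host))) {
            return false;
        }
    }

    return true;
}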
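/**
 * @brief Change settings
 *
 * Reads the settings submitted with the request, normalises them, stores them
 * on the DB info object and regenerates the config file. On success the
 * default site record (site_srl 0) is updated with the new default URL and the
 * caller is redirected to error_return_url.
 *
 * @return Object|void error Object (-1, 'msg_invalid_ip') when the admin IP
 *                     list does not validate, (-1, 'msg_invalid_request') when
 *                     a port is not in 1..65535 or the config file cannot be
 *                     written; nothing on success
 */
function procInstallAdminSaveTimeZone()
{
    $db_info = Context::getDBInfo();

    // Admin IP list: one entry per line or comma. Loopback and the address that is
    // saving the settings are always appended so the current admin is not locked out.
    $admin_ip_list = Context::get('admin_ip_list');
    if ($admin_ip_list) {
        // Character class holds CR and LF only. The original pattern also listed '|'
        // inside the class, so a literal pipe was silently turned into a separator.
        $admin_ip_list = preg_replace('/[\r\n]+/', ',', $admin_ip_list);
        $admin_ip_list = preg_replace('/\s+/', '', $admin_ip_list);
        // Discard the whole list if it looks like it contains PHP tags — presumably
        // because makeConfigFile() below writes it into a generated PHP file.
        if (preg_match('/(<\?|<\?php|\?>)/xsm', $admin_ip_list)) {
            $admin_ip_list = '';
        }
        // REMOTE_ADDR is absent under some SAPIs (e.g. CLI); don't read an undefined index.
        $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $admin_ip_list .= ',127.0.0.1,' . $remote_addr;
        $admin_ip_list = array_unique(explode(',', trim($admin_ip_list, ',')));
        if (!IpFilter::validate($admin_ip_list)) {
            return new Object(-1, 'msg_invalid_ip');
        }
    }

    // Default URL: force a scheme and a trailing slash so the stored value has one canonical form.
    $default_url = Context::get('default_url');
    if ($default_url) {
        if (strncasecmp('http://', $default_url, 7) !== 0 && strncasecmp('https://', $default_url, 8) !== 0) {
            $default_url = 'http://' . $default_url;
        }
        if (substr($default_url, -1) !== '/') {
            $default_url .= '/';
        }
    }
    /* convert NON Alphabet URL to punycode URL - Alphabet URL will not be changed */
    $default_url = Context::encodeIdna($default_url);

    $use_ssl = Context::get('use_ssl');
    if (!$use_ssl) {
        $use_ssl = 'none';
    }

    // Ports are optional, but when given they must be integers in 1..65535 instead of
    // whatever a bare (int) cast would silently make of the input.
    $http_port = Context::get('http_port');
    $https_port = Context::get('https_port');
    $port_options = array('options' => array('min_range' => 1, 'max_range' => 65535));
    foreach (array($http_port, $https_port) as $port) {
        if ($port && filter_var($port, FILTER_VALIDATE_INT, $port_options) === false) {
            return new Object(-1, 'msg_invalid_request');
        }
    }

    // Boolean switches are stored as 'Y'/'N'; anything other than 'Y' means off.
    $flags = array();
    foreach (array('use_rewrite', 'use_sso', 'use_db_session', 'qmail_compatibility', 'delay_session') as $key) {
        $flags[$key] = (Context::get($key) === 'Y') ? 'Y' : 'N';
    }

    unset($db_info->cache_friendly);

    $minify_scripts = Context::get('minify_scripts');
    if (!$minify_scripts) {
        $minify_scripts = 'common';
    }
    $use_html5 = Context::get('use_html5');
    if (!$use_html5) {
        $use_html5 = 'N';
    }

    $db_info->default_url = $default_url;
    $db_info->qmail_compatibility = $flags['qmail_compatibility'];
    $db_info->minify_scripts = $minify_scripts;
    $db_info->delay_session = $flags['delay_session'];
    $db_info->use_db_session = $flags['use_db_session'];
    $db_info->use_rewrite = $flags['use_rewrite'];
    $db_info->use_sso = $flags['use_sso'];
    $db_info->use_ssl = $use_ssl;
    $db_info->use_html5 = $use_html5;
    $db_info->admin_ip_list = $admin_ip_list;

    // An empty port field removes any previously stored port.
    if ($http_port) {
        $db_info->http_port = (int) $http_port;
    } elseif (isset($db_info->http_port)) {
        unset($db_info->http_port);
    }
    if ($https_port) {
        $db_info->https_port = (int) $https_port;
    } elseif (isset($db_info->https_port)) {
        unset($db_info->https_port);
    }

    unset($db_info->lang_type);

    $oInstallController = getController('install');
    if (!$oInstallController->makeConfigFile()) {
        return new Object(-1, 'msg_invalid_request');
    }

    Context::setDBInfo($db_info);
    if ($default_url) {
        // Keep the default site record (site_srl 0) in sync with the new default URL.
        $site_args = new stdClass();
        $site_args->site_srl = 0;
        $site_args->domain = $default_url;
        $oModuleController = getController('module');
        $oModuleController->updateSite($site_args);
    }
    // NOTE(review): error_return_url is taken from the request; confirm that
    // setRedirectUrl() restricts the target to this site.
    $this->setRedirectUrl(Context::get('error_return_url'));
}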